Looking after your Passwords

I’ve already written recently about passwords, but the headlines this morning about the cyber attack on TalkTalk’s web site are a timely reminder to all of us about the need to think carefully about how we use passwords online. It may be a while before they find out exactly how the attack happened, and what information the hackers may have got their hands on, but I thought that the Chief Executive, Dido Harding, provided very sound advice to their customers this morning in the circumstances.

One piece of advice related to passwords. Most of us now use so many online services that it is just not practical to have an individual password for each one – nobody is going to remember that, and you’d end up writing them down. Probably not very smart. However, the other extreme – using the same password for everything – isn’t particularly smart either, especially if you also use the same username (which might, for example, be an email address).

If you use the same password across many web sites, then if any one of these is successfully hacked it is possible that hackers will be able to find your password. Once they’ve done that, it’s an easy task for them to try out your password on other sites – your email for example. If they manage to gain control of your email account they can start to impersonate you and cause all sorts of mayhem in your life. It can be very hard to get control of your email account back in these circumstances – most of the major email providers allow you to register a backup email address and mobile phone number for exactly this situation, so make sure you have these set up.

This can also present a security risk to University systems. If you use the same password to access your University IT Account and lots of other personal accounts, then you could be putting your University account at risk. If one of your personal accounts was hacked, and the hacker knew (or just guessed) that you worked at RGU, they could gain access to your RGU details. It might be a long shot, but I know an organisation where something very similar to this happened.

It may not be practical to have different passwords for absolutely everything, but think carefully about what is really precious to you and use a range of passwords. I would recommend, unless you’re not bothered about losing money, that the passwords you use for any online banking or investments are unique for each account and not used anywhere else. I would also recommend that you at least use a unique password for work, and a unique password for your personal email account and things like Facebook if you use them regularly. Money, work, and your core means of identity and communication – these things are important.

Beyond that it’s up to you – there will be many accounts where you are happy to reuse a password where the risks are lower. Have an Interflora account? Well, maybe a hacker will send a bunch of flowers to their granny – that’s not quite as bad as losing your life savings. Of course, even in these cases, if you think one of them has been breached it is important to change the password you use but at least the stakes are lower while you go about this.

It’s a good idea to keep a list of all your online accounts somewhere to jog your memory. If you really had to change all your passwords, can you really remember everything you’ve signed up to? And if you are finished using any online service – delete your account. It’s one thing less to worry about.